Winter 2023 Product Enhancement Recap: Stopping Email Platform Attacks Before They Snowball

During these cold, dark months, Abnormal was heating up, lighting the path to email security success as we released a variety of product enhancements aimed at solving the broader problems surrounding the cloud email platform… How do organizations protect the email platform itself? How can you effectively secure and manage a fragmented, multi-tenant environment? Is there a way to better understand how users are behaving? Is there a singular location where security leaders can see their third-party applications and understand what each one is allowed to do?

We sought to find answers to those questions. A term you’ll hear from Abnormal quite often is “email platform attack,” which is a growing threat to organizations. This segment of the threat landscape involves attacks that tend to skip traditional phishing tactics in favor of directly compromising cloud email environments. One common example is an organization that has not disabled legacy authentication in Microsoft 365. This one, seemingly innocuous configuration allows attackers to bypass MFA entirely—something we saw in the news earlier this year.

So, what has Abnormal actually released this quarter? Let’s dig in.

The first stop on our Winter Wonderland Tour is at our new Knowledge Bases.

You may already be familiar with VendorBase™, a Knowledge Base aimed at detecting unusual vendor activity, scoring vendors based on risk, and blocking those vendors that are deemed to be a threat to your organization. In a similar fashion, these new Knowledge Bases ingest thousands of signals across your cloud email platform to build dynamic behavioral profiles connecting your users, integrated third-party applications, and mail tenants.

Putting this data directly into your Abnormal Portal can enrich investigation when anomalous activity is detected for a given user, as well as enhance your application and tenant hygiene. Better data leads to better decisions, and better decisions lead to a more secure email environment.

AppBase

AppBase centralizes app activity data, permissions, and key metadata for all applications integrated into your cloud email platform. We already see many of our customers using AppBase to uncover previously unknown applications lurking as shadow IT within their cloud email platform.

Beyond this hygiene use case though, AppBase can be used to identify risky applications—whether over-permissioned or simply unusual—and then track ongoing activity to conduct a thorough and expeditious investigation. AppBase helps you discover whether the app is truly malicious, or if it’s a simple case of a savvy user skirting install policies to download a fancy new calendar extension.

At the end of the day, either scenario presents a risk, and it’s crucial to identify it so you can determine the next course of action.

PeopleBase

Applications don’t install themselves, so the nexus for all suspicious activity is often the users in your environment. PeopleBase provides a directory of each of the active users on your cloud email platform. It uses contextual, behavioral data to build a dynamic user genome, along with an activity timeline of recent events such as sign-on patterns, suspicious email activity, common devices and IP addresses, and more.

PeopleBase provides insight into malicious email trends for a given user, configuration changes that user has executed, and applications the user has recently installed. And in addition, Abnormal paints a comprehensive portrait of who your users are, where they are, and what they’re doing—helping you then determine if they are who they say they are.

TenantBase

Whether you have one mail tenant or fifty, these hubs of activity that ultimately constitute the surface of the cloud email platform can open the door to a variety of risks. TenantBase provides a catalog of each of the email tenants Abnormal Security protects, along with a running timeline that documents changes to conditional access policies, new users, user privilege changes, and new app integrations. Many recent attacks have been executed by attackers gaining access and compromising mail tenants, so it is critical to remain aware of changes as they occur.

All three new Knowledge Bases, as well as the existing VendorBase, are now available for free inside the Abnormal platform.

With any great snowman, you need a robust base: the Knowledge Bases. But think of Security Posture Management,our newest add-on product, as the body, coal, and carrot of your Abnormal Frosty.

Security Posture Management uses the data within the behavioral profiles built by PeopleBase, AppBase, and TenantBase to determine when a potentially harmful or unexpected configuration change has occurred. It then highlights these changes to administrators, helping security teams understand and take action to fill configuration gaps, as Abnormal works to improve the risk posture of cloud email environments.

With dynamic monitoring aimed at surfacing only high-impact changes to cut down on noise, actionable configuration insights to help you understand exactly what occurred, and workflow management that provides a quick path to acknowledge and identify next steps, Security Posture Management completes the cloud email security puzzle by proactively defending against email platform threats. Meanwhile, Abnormal’s best-in-class Inbound Email Security continues to handle those threat actors in the inbox.

What do holding companies and organizations that have undergone a recent merger or acquisition have in common? First, probably something about winter since that’s the theme of the article… Perhaps they are in the middle of a financial freeze? Secondly, they need a way to effectively manage and secure multiple mail tenants.

Abnormal has answered this call with its new Multi-Tenant Management functionality. Gone are the days of long and arduous processes to manually link new tenants to the Abnormal portal. In three simple steps, our customers can now add a child tenant and then configure appropriate role-based access controls (RBAC) as needed. Here is the workflow:

1. Navigate to Settings and click Add New Tenants.

2. Name the new tenant.

3. Grant access to the workspace.

I don’t know about you, readers, but I’m exhausted from typing that. I need a hot chocolate.

Winter may be on its way out, but Abnormal is just getting started this year. Schedule a demo today to discover more from Abnormal, or if you’re already a customer, chat with our customer success team to receive answers to all of your questions.

Either way, be on the lookout for our Spring update … and beyond. Happy recap to all, and to all a good night.

Interested in learning more about the Abnormal platform? Schedule a demo today!